NEW YORK -- Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.

Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It's not known, though, whether anyone has actually used it to conduct an attack.

Researchers are advising people to change all of their passwords.

Only about 600 of the 10,000 busiest websites are believed to be vulnerable to the flaw, said Wolfgang Kandek, chief technology officer for Redwood City security company Qualys. But he added that many small websites also may be at risk, because such sites often prefer using the free, easy to obtain open-source encryption software

Kandek said it remains unclear if any crooks have taken advantage of the flaw to steal sensitive data from vulnerable sites.

"It's really impossible at this point in time to know," he said, since the problem was only recently discovered.

The flaw was discovered independently in recent days by researchers at Google and the Finnish security firm Codenomicon.

Advertisement

The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Researchers at Codenomicon say that OpenSSL is used by two of the most widely used Web server software, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.

A software fix came out Monday.

While applying the software update is relatively easy, Kandek added, many affected websites will now have to have their encryption keys recertified as safe. That's because even with the software fix, unsafe keys can enable hackers to cause mischief on sites.

Yahoo's Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials at the service said they had no evidence of any breach and had immediately implemented the fix.

"But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr's blog post read. "This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Yahoo said its other services, including email, Flickr and search, also have the vulnerability. The company said some of the systems have already been fixed, while work is being done on the rest of Yahoo's websites.

The company reiterated its standard recommendation for people to change passwords regularly and to add a backup mobile number to the account. That number can be used to verify a user's identity if there are problems accessing the account because of hacking.